Bug 2313687 (CVE-2024-45810)
| Summary: | CVE-2024-45810 envoy: Envoy crashes for `LocalReply` in HTTP async client | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jwendell, rcernich, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text:
A flaw was found in Envoy. Envoy crashes when the HTTP async client handles `sendLocalReply` under some circumstances, such as websocket upgrade and request mirroring. The crash occurs during `sendLocalReply()` in the HTTP async client if the client is duplicating the status code, or if the destruction of the router is called in the destructor of the async stream while the stream is deferred or deleted. The issue occurs when the stream decoder is destroyed but its reference is called in `router.onDestroy()`, causing a segmentation fault. This impacts ext_authz if the `upgrade` and `connection` headers are allowed.
Description
OSIDB Bzimport
2024-09-20 00:40:55 UTC
This issue has been addressed in the following products:

Red Hat OpenShift Service Mesh 2.6 for RHEL 8
Red Hat OpenShift Service Mesh 2.6 for RHEL 9

Via RHSA-2024:7726 https://access.redhat.com/errata/RHSA-2024:7726